The advantages of digitalization are well documented and understood, especially in health care. Patients, for example, benefit when their doctors can access critical data by simply plugging a device into a wall jack. That wall jack typically connects to every other connected device in the hospital. If the hospital is part of an MPLS network then the scale of access and convenience is even greater.

Patients benefit because those caring for them are more productive, more knowledgeable and faster to respond. The problem, however, is that easy access can extend beyond the wall jack to the internet.

Digitalization can expose more critical care processes and controls to the internet and that’s a big problem.

Two years ago this week WannaCry took down hundreds of thousands of systems globally in a matter of hours, including about a third of England’s hospital trusts and 8% of the nation’s general practitioner offices. In June we’ll note the anniversary of NotPetya, one of the most devastating cyber attacks of all time. Like WannaCry, it had devastating impacts, including on hospitals and clinics. And WannaCry is still out in the wild, continuing to infect computers:

In its global list of countries where WannaCry variants have been detected over the past two years, India is at the top with 727,883 WannaCry infections, followed by Indonesia (561,381), the US (430,643), Russia (356,146) and Malaysia (335,814).

While tens of thousands of appointments, including surgeries, were cancelled or rescheduled, no one has yet died because of a cyber attack. Hospitals are starting to realize that there are thousands of devices connected to hospital networks that, if breached, could hurt or even kill someone. These include devices that deliver medication, drugs, chemotherapy and radiation.

A recent study predicted that by 2020 70% of medical devices will be running on unsupported, insecure operating systems, many of which are tied to patient care (CSO Australia):

The Department of Homeland Security last year issued 30 advisories about cybersecurity vulnerabilities in medical devices, up from 16 the year before, according to MedCrypt, which makes security software for medical devices.

The situation is getting worse just as we commemorate the rise of powerful cyber attacks and ransomware:

Reports show that ransomware and other cyberattacks are on the rise — and health care is one of the biggest targets. Just this week, researchers in Israel announced that they’d created a computer virus capable of adding tumors into CT and MRI scans — malware designed to fool doctors into misdiagnosing high-profile patients, Kim Zetter reports for The Washington Post.

Hospitals are attractive targets because they have a shared infrastructure. Like an airport, they also have lots of third-party vendors working on the same L2 network through hundreds of VPNs, some connected directly to critical care equipment. Gift shops, vending machines, bio-medical services and laboratories can also share that same common network.

Hospitals often have no idea what’s on their network at a particular moment. They’re often using networks built incrementally over decades and no one ever made a map. Very few have done any inventory of connected devices. And those devices can be plugged into and unplugged from the network in seconds. Many of them are running outdated and unpatched operating systems.

Around 10% of the devices on hospital networks run outdated operating systems (XP and Windows 2003, for example). Hospitals are also starting to realize that there are thousands of connected devices that, if breached, could hurt someone. These include devices that deliver medication, drugs, chemotherapy and radiation.

So as hospitals converge OT/IT infrastructure, new demands, from attack surface growth to vector sprawl, confront firewalls and segmentation solutions architected for quite different challenges. See Happy Birthday WannaCry…

Microsoft is warning that the Internet could see another exploit with the magnitude of the WannaCry attack that shut down computers all over the world two years ago unless people patch a high-severity vulnerability. The software maker took the unusual step of backporting the just-released patch for Windows 2003 and XP, which haven’t been supported in four and five years, respectively.

“Exploitation of the vulnerability, as described in the advisory, would simply require someone to send specific packets over the network to a vulnerable system that has the RDP service available,” Brian Bartholomew, a senior security researcher on Kaspersky Lab’s Global Research and Analysis Team, told Ars in an email. “In the past, exploits for this service have been pretty easy to craft once the patch is reversed. My best guess is that someone will release an exploit for this in the next few days.”

A different security company, CyberX, analyzed traffic from 850 operational technology systems, which are used to manage factory production lines, gas monitoring, and other types of industrial operations. Researchers found that 53 percent of them run unsupported versions of Windows, many of which are likely affected by the just-patched vulnerability. The lack of upgrading stems from the difficulty of taking computers offline in mission-critical environments that operate continuously. Phil Neray, VP of industrial cybersecurity at Boston-based CyberX, said a stop-gap measure for these companies is implementing compensating controls such as network segmentation and continuous network monitoring.
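The two compensating controls Neray names, segmentation and continuous monitoring, can be checked mechanically against each other. As an added example (not code from the page, from CyberX or from Tempered), the script below applies a constructed zone policy to constructed connection records and flags RDP sessions (TCP 3389 and 3388) that cross a zone boundary the policy does not permit, raising severity when the destination runs an unsupported Windows version. The inventory, zone names, policy and log lines are all assumptions made for the example.

```python
"""Segmentation / exposure check for a converged hospital network.

Added example, not from the original page. The inventory, zones, policy and
connection records below are constructed for illustration only.
"""
from collections import namedtuple

RDP_PORTS = {3389, 3388}
# OS families whose vendor support ended; str.startswith accepts this tuple.
UNSUPPORTED_OS = ("windows xp", "windows server 2003", "windows 2003")

# Constructed inventory: host -> (operating system, segmentation zone)
INVENTORY = {
    "10.1.0.5": ("Windows 10", "it-admin"),
    "10.2.0.21": ("Windows XP", "clinical-devices"),          # infusion pump controller
    "10.2.0.22": ("Windows Server 2003", "clinical-devices"),  # imaging workstation
    "10.3.0.9": ("Windows 7", "vendor-vpn"),                   # third-party maintenance
    "10.4.0.2": ("Linux", "guest-retail"),                     # gift shop point of sale
}

# Constructed policy: (source zone, destination zone) pairs allowed to open RDP
RDP_ALLOWED = {
    ("it-admin", "clinical-devices"),
    ("it-admin", "it-admin"),
}

Conn = namedtuple("Conn", "ts src dst dport proto")

# Constructed connection records in a Zeek-like layout: ts src dst dport proto
SAMPLE_LOG = """\
1557800000.1 10.1.0.5 10.2.0.21 3389 tcp
1557800001.2 10.3.0.9 10.2.0.22 3389 tcp
1557800002.3 10.4.0.2 10.2.0.21 3388 tcp
1557800003.4 203.0.113.7 10.2.0.22 3389 tcp
1557800004.5 10.3.0.9 10.1.0.5 3389 tcp
1557800005.6 10.4.0.2 10.1.0.5 443 tcp
"""


def parse_log(text):
    """Turn the whitespace-separated records into Conn tuples, skipping blanks/comments."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        conns.append(Conn(float(ts), src, dst, int(dport), proto))
    return conns


def is_unsupported(os_name):
    return os_name.lower().startswith(UNSUPPORTED_OS)


def host_record(host):
    # Anything absent from the inventory is treated as outside the network.
    return INVENTORY.get(host, ("unknown", "external"))


def find_violations(conns):
    """Return RDP connections that cross a zone boundary the policy does not allow.

    A destination on an unsupported OS is rated 'critical' (it cannot be patched,
    so segmentation is its only protection); any other destination is 'high'.
    """
    findings = []
    for c in conns:
        if c.proto != "tcp" or c.dport not in RDP_PORTS:
            continue
        src_zone = host_record(c.src)[1]
        dst_os, dst_zone = host_record(c.dst)
        if (src_zone, dst_zone) in RDP_ALLOWED:
            continue
        findings.append({
            "ts": c.ts, "src": c.src, "src_zone": src_zone,
            "dst": c.dst, "dst_zone": dst_zone, "dst_os": dst_os,
            "dport": c.dport,
            "severity": "critical" if is_unsupported(dst_os) else "high",
        })
    return findings


def unsupported_hosts(inventory=INVENTORY):
    """Hosts whose OS is out of support and therefore need compensating controls."""
    return sorted(h for h, (os_name, _) in inventory.items() if is_unsupported(os_name))


if __name__ == "__main__":
    for f in find_violations(parse_log(SAMPLE_LOG)):
        print(f"[{f['severity']}] {f['src']} ({f['src_zone']}) -> "
              f"{f['dst']}:{f['dport']} ({f['dst_zone']}, {f['dst_os']})")
    print("unsupported hosts:", unsupported_hosts())
```

Feeding real flow records and a real asset inventory into the same two functions gives a running list of where the segmentation policy is being bypassed to reach the hosts that cannot be patched.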

WannaCry and NotPetya, two of the most devastating cyber attacks of all time, have at least two things in common: 1) both were able to spread quickly around the world in hours; and 2) both effortlessly spread beyond IT assets into OT devices. They also occurred within a few weeks of each other. Yes, we’re about to celebrate the birthday of yet another devastating attack.

Network segmentation solutions have had their share of issues when it comes to deployment, especially internal political and technical challenges (see the Zero Trust Paradox). Complexity behind the firewall has escalated to such an extent that security innovation on a macro scale is almost impossible without transforming the TCP/IP stack. That’s the old news: network segmentation pain.

With OT/IT convergence, attacks like WannaCry and NotPetya have a massive global attack surface of interconnected IIoT things that have the potential for catastrophic effects:

Tod Beardsley, director of research at security firm Rapid7, said an alternate Internet scanner, BinaryEdge, shows there are an estimated 16 million endpoints exposed to the Internet on TCP ports 3389 and 3388, which are typically reserved for RDP. – Ars Technica

Traditional firewall and segmentation solutions were not architected to protect massively converged infrastructures of IoT, IIoT and IT systems. They were created in a different era of security with very different challenges. As a result the defense in depth stack has become complex and expensive. Yet innovation outside what we used to call the perimeter continues to gather increasing levels of sophistication, from cryptocurrency ransomware to aaS delivery models.

Recent CyberX research indicates that more than half of industrial sites run unsupported Windows machines, making them potentially vulnerable. There’s not much opportunity to test the impact of a patch on those types of systems, much less to interrupt operations to install them.

That applies to health care systems, too, where the process of updating critical software could interrupt patient care. Other businesses run specialized software that’s incompatible with more recent Windows releases; practically speaking, they’re trapped on XP. And while the best way to protect yourself from this latest vulnerability—and the countless others that now plague unsupported operating systems—is to upgrade to the latest version of Windows, cash-strapped businesses tend to prioritize other needs. – Brian Barrett

The net result: millions of devices running XP cannot be patched (in time, or perhaps ever) and the traditional security stack is already overtaxed by stack fatigue.

Or The Zero Trust Graveyard… your choice.

I just glanced through an analyst report on “zero trust” and noted the sizable eco-system of startups and security cartel players who have all managed to join the party. After all, it’s a noble aim. If there isn’t a way for an untrusted user, app or file, etc. to enter a TCP/IP network from the internet that would be a great thing. A great thing indeed.

Yet startups embracing zero trust in their messaging have had little success. And I don’t think it’s because the security cartel players embracing zero trust (perhaps merely for thought leadership points) have succeeded.

What is the zero trust problem hinted at by the analyst? Why is there a higher correlation between zero trust startups and new office space filled with old cubicles… than with hackers declaring bankruptcy?

I have a theory, inspired by conversations with security execs who’ve dabbled in the use of zero trust firewall and segmentation solutions.

The Zero Trust (Complexity) Paradox

For traditional TCP/IP-architected security solutions the security landscape (defense in depth) is so complex that anything added ends up creating more complexity than actual enforcement efficacy. In short, it’s a declining sum game, where every new investment ends up costing you more because of stack fatigue.

I’d prefer to call this zero sum scenario a zero trust paradox. Rising complexity makes it harder for innovation to have a meaningful impact. Deployment is politically and/or technically painful and protracted because of the limited “elbow room” for innovation. And security stacks are getting even more complex as IIoT devices are being added at a healthy clip.

Cities are getting poorer while hackers are getting richer. Indeed, rising complexity is more likely a hacker’s playground than an increasingly secure infrastructure.

This came out loud and clear over an incredible steak dinner with an old friend with some major security insight and responsibilities. So I won’t name him. 🙂

In the heady days of massive network infrastructure growth there was a single analyst who knew the vendors cold. And all of us on the Wall Street briefing circuit knew Gabe Lowy.

Gabe didn’t waste time with small talk. On the way to the conference room he would ask you a few questions, then tell you what you were about to tell him, from your product update to your competitors’ strengths and weaknesses. And you hadn’t even fired up your laptop…

And why, you ask, is reminiscing about Gabe’s insight in the early days of enterprise networking important to cyber security for converged infrastructures?

In addition to pointing out the inherent problems with today’s “business as usual” mindset when it comes to physical cyber risks, Gabe offered a solution. He drew an insightful parallel between the emergence of DevOps and the much-needed convergence of OT/IT, and what happens if that doesn’t happen.

A common, blended organization tackling both makes the most sense. The alternative, which cannot be fixed by money or trained personnel, is a bigger deal than losing email and social security numbers…

A chilling Unsolicited Response podcast on Marine Cybersecurity with a Master Mariner at Moran Cyber is a wake up call, and not just for the risks of ships being hijacked by hackers. At about ten minutes there is a discussion about the common control infrastructures between ships and hospitals, factories and office buildings.

In a nutshell, with converged infrastructure virtually any “smart” physical environment is hackable. I wrote a Tempered blog (The Stakes are Higher than Ever) in response to the podcast: “These systems control the physical environment. Whoever controls them controls virtually everything.”

Forbes: Are Smart And Sustainable Buildings An Unsolvable Equation?

Tempered CEO Jeff Hussey weighed in on the issue of convergence in Forbes as he also explained what motivated organizations to make their facilities smart. But there is a catch:

Despite the sizable number of positive business impacts IoT devices can have on businesses, many organizations have balked at the idea of deploying IoT devices and control systems, citing an overwhelming level of complexity and a lack of personnel with IoT training as their reasoning. The gap in IoT skills is a direct result of the information technology (IT) and operational technology (OT) convergence. Unfortunately, bridging that gap isn’t an easy equation. Simply adding IT staff to an OT team does not produce the correct answer. It’s back to complex mathematics again.

Connecting the Dots

OT/IT convergence needs to be a team sport. Or else almost everyone loses.

The TCP/IP stack made it easy for billions of devices to connect over the internet in just a few decades, starting in the 1990s. Now we’re expecting more than 75 billion devices to be connected by 2025. Maybe TCP/IP was too good at its initial mission to ensure easy, rapid connectivity. But that’s just chapter one of the emerging cyber security problem.

Chapter two is even bigger, from both an opportunity and damage standpoint. The key to understanding the risk isn’t to quantify it in terms of more infected computers but rather unauthorized control over physical environments. Bruce Schneier takes us there in his new book Click Here to Kill Everybody: “The Internet, once a virtual abstraction, can now sense and touch the physical world.”

The current defense in depth strategy which has evolved to address stack promiscuity has become so complex even trivial additions to a network can drive significant increases in the operating and capital expenses required for effective defense. We call this reverse correlation (between rising complexity and declining protection) stack fatigue. This was before digitization and the “smart era.”

Digitization is Paving the New Hacker Superhighway

As organizations digitize their office buildings, factories, hospitals and even ships at sea to boost efficiency and productivity, they are exposing critical data and physical system functionality to the internet and cyber attacks. Think of the difference between taking down a hospital billing system and shutting down blood freezers, environmental or even ship controls.

A recent podcast on maritime cybersecurity, recorded in response to an article on Threatpost about how hackers could sink a ship at sea, puts it in perspective. About ten-plus minutes in, Alex Soukhanov, Director and Master Mariner at Moran Cyber, coolly explains just how vulnerable the common control systems and sensors are in all kinds of smart facilities, floating and terrestrial. Smart water and power systems, smart assembly lines and smart navigation all use common sets of smart devices for managing critical systems.

These systems control the physical environment. Whoever controls them controls virtually everything.

Digitization is accelerating the convergence of OT/IT infrastructures and in turn creating a new generation of high growth and ultra-permeable attack surfaces. The proliferating attack vectors in this new converged network are increasing complexity, degrading protection and exposing mission critical systems to unauthorized access as even primitive malware can go global in a matter of days.

The number of vulnerabilities discovered in industrial control systems (ICS) grew 30% in 2018 compared to the prior year, with the share of critical or high severity vulnerabilities increasing by 17%, according to a report from Positive Technologies published Thursday.

Targeting of devices used in industrial, energy infrastructure, and manufacturing settings has increased over the past several years, as state-sponsored groups have sought to gain access to industrial systems for espionage purposes.

In 2018 I moderated a Future in Review panel on Russian cyber meddling in Ukraine. One of my comments during the panel (“What happens in Ukraine doesn’t stay in Ukraine.”) ended up making it into Newsweek only to be inadvertently validated by the Russian election interference news cycle. At the time I was referring to the IoT malware outbreaks that had spread from Ukraine to the rest of the world, not the Russian election meddling about to seize headlines for months.

Maybe it doesn’t even need to be a hybrid war. Maybe it will be a cyber war.

You don’t have to be a military history buff to understand the impact of technology on warfare, from Greek fire or even the horse and chariot in ancient times, to the role of mechanized armor in the lightning fast and virtually painless French capitulation in early WW2. The ongoing pattern of Russian “trust attacks against culture and systems” suggests the world has already entered a new era of vulnerability unlike any other. And we’re not prepared by any means.

Earlier today I listened to a timely podcast on maritime cyber security. About 10 minutes in it gets quite chilling as the discussion shifts to how easy it might be to capsize a ship and similarly attack control systems from factories to power grids. In other words, widely available knowledge is enough to threaten mayhem. While hackers would have to know how to manipulate specialized systems in some cases, control systems are fairly universal across vessel types and types of land-based smart buildings.

A recent article on health care cyber attacks similarly explored all kinds of IoT attacks, from shutting down hospitals (which has happened) to generating false findings and records. Conclusion: ships, hospitals, factories, buildings are increasingly sharing interconnected device infrastructures which can be compromised with common cyber attack skills.

What happens in Ukraine could happen anywhere else… based on the motives of the attacker.

Last month I wrote about OT/IT convergence and cyber security, or the connection of more smart devices to the Internet, the resulting attack vector sprawl, and how ill-equipped traditional IT processes and solutions are to protect this new converged infrastructure.

After listening to the podcast I wondered if French military leaders watched the rise of the petroleum era and said to themselves “But that couldn’t happen here” (in French, of course), or were they merely preoccupied with what they needed in WW1? Are we in the West making the same mistake, measuring military capabilities based on past technologies and circumstances? Do we see these tests as Nolan did, as a very disruptive evolution of warfare? (BTW, Nolan is a former U.S. Air Force special operations pilot and a veteran of the wars in Afghanistan and Iraq.)

Given the capabilities of an attacker to take down infrastructure, including ships and hospitals, and bring them up again as needed, are we seeing the emergence of something much more powerful and game-changing?

e-Tron Bomb Anyone?

Remember the neutron bomb that would kill people and leave buildings intact? How about an attack that shuts down everything “smart” and can turn it back on without having to even land on a beach or cross a physical border. If so, would the next war be cyber and end with a whimper instead of a bang, like the fast conquest of a nation with a proud military history?

As I mentioned in OT/IT Convergence I had the chance to meet someone responsible for securing and isolating control infrastructure for a state-wide array of more than 600 smart buildings, ranging from campus offices to remote agricultural labs, in a matter of weeks without adding additional headcount.

Today my teammates at Tempered Networks rolled out a 10 page ebook of why he did it and how he did it. Yes… it’s pretty amazing. Click on the image to get the rest of the story…

So much has changed since the creation of the TCP/IP stack. Work on the stack began in 1973 and the first public WAN was initiated in 1982 (see this timeline for a great point of reference). About a decade later network security solutions started appearing in response to various emerging threats.

The “first automated worm appeared on the ARPANET in 1988,” the same year CERT (Computer Emergency Response Team) came into existence. About this time a NASA employee is credited with creating the first “virtual firewall” in response to a virus.

“…before the 90s, the concept of having a network of computers was fairly uncommon. And, there was a considerably small number of people in the populace who even had access to the internet. So, security at that time was really not a major concern or focus.” – InformationSecurityBuzz

Fast Connectivity Led to Hyper Growth

The TCP/IP stack made it easy for millions and then billions of devices to connect over just a few decades, starting in the 1990s. Now we’re expecting more than 75 billion devices connected by 2025. It would be one thing if all of these connected devices were communicating on consolidated pipes where defense in depth could be enforced. But that’s not the case.

Hyper Growth has Led to Escalating Complexity and Stack Fatigue

That was then. This is now. While the high growth in connectivity is part of the security problem, the rise of complexity fostered by layers of manually-tuned solutions is driving up costs and demands for security skills well ahead of the supply. Hence the expression expense in depth (versus defense in depth) cited way back in 2012 when these problems were in their infancy, at least compared to today.

Want evidence of stack fatigue? A recent ESG survey found firms reporting problematic shortages of security skills increasing to more than half of those surveyed, up from 42% in 2015. No one is shocked anymore by the skills gap, even as the level of information security spending passes $114B in 2019: more devices + more manual processes = more skilled pro shortages.

“Every year in the U.S., 40,000 jobs for information security analysts go unfilled, and employers are struggling to fill 200,000 other cyber-security related roles, according to cyber security data tool CyberSeek. And for every ten cyber security job ads that appear on careers site Indeed, only seven people even click on one of the ads, let alone apply.” – Jeff Kauflin, The Fast-Growing Job With A Huge Skills Gap: Cyber Security – Forbes

As the gap grows between rising complexity and declining protection, CISOs are forced to expend larger levels of resources simply to preserve protection. Beyond the increase of high profile (and unreported) successful attacks, there is yet another problem, CISO churn (see CISO careers: Several factors propel high turnover, by Mekhala Roy for SearchCISO):

If the CISOs aren’t demonstrating that their investments and controls are having a positive impact on the organization, their requests for larger budgets or reprioritization of business priorities become more challenging as the years progress, making another job opportunity more enticing.

OT/IT Convergence means New Potentials for Attack Vector Sprawl

Against this backdrop of rising complexity, declining protection, skill shortages and CISO turnover comes a new and more potentially lethal development: the convergence of entire networks of operationally critical one-to-many sensors and control infrastructures with the internet and already overwhelmed enterprise networks.

OT/IT convergence introduces a new sprawl of attack vectors, beyond anything a firewall or segmentation solution was ever architected to protect, and that is the next challenge for the TCP/IP stack.

Remember the “dimes” scene from Blazing Saddles when a toll booth in the middle of the desert stops Hedley Lamarr’s army? It’s the ultimate attack vector metaphorical satire.

Perhaps TCP/IP was too good at its mission of establishing radical growth in connectivity, albeit with little regard to security. If so, then the convergence of OT/IT infrastructure won’t be well served by the extension of overtaxed information security infrastructure into complex, noisy and critical sensor and control infrastructures, many of which have never been (or cannot be) patched.

A “Grim Gap” between IT and OT Isolation Requirements

This point and others are well made in A Grim Gap, including conflicting processes and priorities between OT/IT, from security versus safety trade-offs to the nature of the devices connected, especially when it comes to common field devices and networks:

Weiss said he has repeatedly warned… existing cybersecurity and safety standards do not adequately address the security and authentication vulnerabilities of legacy field devices and their networks.

– Sonal Patel, A Grim Gap: Cybersecurity of Level 1 Field Devices, Power

“The tools we are working with today to put sensors on networks were not designed to handle the diversity of devices becoming networked, the scope of new capabilities, the need to carefully manage power requirements, and the massive volume of data-points generated from device interactions.”

Yet Harbor acknowledges that a few players are flirting with a potential solution. That’s not very comforting as more building and industrial control systems are already being optimized with network and Internet connectivity.

If not TCP/IP layered with defense in depth for smart buildings (for example), then what? That’s the question, because anything that increases stack fatigue will only widen the gap and produce incremental, declining outcomes. So perhaps it needs to be augmented with a new layer developed for the new control systems and IIoT era.

Marketer’s Corner

Across 30 years of B2B marketing I’ve seen my fair share of changes. The last ten years have probably been the most disruptive, especially when it comes to content marketing. Here is a list of the top four reasons why content marketing campaigns fail:

Weak prospect engagement. The decline of print publishing combined with the rise of marketing automation tools powered with lists provided by unscrupulous list brokers has created a storm of intent and identity confusion destroying the conditions for real dialogue. The result is a top of funnel “nuclear winter” (see my recent interview with Integrate’s Scott Vaughan) that is degrading prospect engagement, especially at top of funnel.

Scarce and expensive sales resources. High caliber sales people are expensive and hard to find. With weak engagement (see #1) those resources become even more expensive, because more time is wasted trying to manually resolve prospect identity and intent.

Trust and expertise are hard to establish. Attention spans are getting shorter and prospects are getting bombarded with content. Social bookmarking sites are getting flooded with content, and several are moderated by vendors, limiting dialogue. Some sites have even capped views/shares to encourage sponsored content programs.

Irrelevance. Some marketers focus on list and/or lead costs over quality, which leads to wasted sales resources and turnover. I remember getting approached at trade shows to swap badge scan lists so a marketing VP could make an incentive target. I refused, explaining that we only wanted to engage with people qualified at the booth, not attendees in general. The VP didn’t have responsibility for conversion and didn’t care.

Why do these factors matter? Because they have a direct impact on sales conversion rates (meetings, opportunities, win/loss). Many marketers are improperly evaluated based on cost per lead, when conversion rates matter far more to overall sales and marketing success.

Cheap lists can be one of your most expensive investments. Lists generated by media engagement will be filled with false positives and negatives, so the costs of qualification are passed onto your sales team and drive up sales costs.

Defining Excellence

If your sales team is converting more than twenty percent of marketing qualified leads to engagement you’re in pretty good shape. I’ve seen conversion rates approaching fifty percent for some types of advanced campaigns. Even better, the high sales costs issue mentioned above gets resolved if sales people are fully engaged and converting meetings to opportunities and closed/won.

Watching the near perfect strategic pivot VMware has made since its failed IaaS venture has been nothing short of awe-inspiring. Very few companies can make such a shift; hence the graveyard of once high growth (and now walking dead) tech companies busy managing layoffs and pension expenses to extend their runways.

If VMware could get $2k/year for each server (traditional and x86), that would amount to an additional TAM of $60B based on a three year refresh rate. Yet that would represent a major business model shift and limit the amount of lock-in that VMware would have over its customers operating on its private cloud platform. It could face margin erosion for its core lines.

Who knows if those economic projections from the days of AWS hybrid cloud denial will come to fruition. I think thanks to VMware’s “immaculate hybrid cloud execution” we may find out that hybrid cloud agility is the game changer of game changers.

That’s why today’s news announcing even cozier relationships between AWS and VMware (Amazon deepens its partnership with VMware to go after companies that don’t use the cloud) doesn’t come off as an anomaly or shallow PR proclamation but rather a careful, long game strategy grounded in execution. It is setting a bigger stage for the cloud, beyond, even, the incredible vision of Amazon. Time will tell, but so far VMware is vying for tech leadership on a new scale. Bravo!

Indeed, while its competitors languish in swirling proclamations obfuscating business as usual and various flavors of entrapment, VMware shifts into higher gears and sets in motion the change it first promised with the lofty acquisition of Nicira and the declaration of the hybrid cloud promise.